Configuring G Suite

The integration of Phishing Protection into Google G-Suite requires the configuration of G Suite to allow third party filtering. If this step is not completed you will receive a DMARC error.

Unauthenticated email from domain.com is not accepted due to
domain's DMARC policy. Please contact the administrator of
domain.com domain if this was a legitimate mail. Please visit
https://support.google.com/mail/answer/2451690 to learn about the
DMARC initiative. f67-v6si16760856plb.460 - gsmtp

This happens when the sending domain has a DMARC record which specifies the "reject" policy (p=reject) for unaligned mail. Google's DMARC enforcement only considers the IP address connecting directly to it for delivery (us) and since we're not listed in the SPF record of the sending domain Google will reject the mail.

The solution is to configure G Suite to allow us to be an inbound gateway, which signals to G-Suite that our IPs are a trusted relay and relaxes their DMARC enforcement. Since we enforce DMARC on the mail we receive this poses no additional risk of unauthenticated mail reaching your users. Google's instructions on how to configure us as an Inbound Gateway can be found here:

NOTE: this feature requires your domain be subscribed to G-Suite Basic or higher and so is not available to customers using the legacy free edition of Google Apps.

Skip the first step, "Set up MX records and configure gateway server". If your domain is not already configured to relay mail to us please follow the instructions provided in your client area to do so.